CyberSecurity news

FlagThis - #china

djohnson@CyberScoop - 59d
The US Treasury Department has confirmed a major cyber incident involving Chinese state-sponsored hackers who gained unauthorized access to employee workstations and unclassified documents. The breach occurred after a third-party software provider, BeyondTrust, was compromised, allowing the attackers to obtain a security key used for remote technical support. This key enabled the hackers to bypass security measures and remotely access Treasury systems and exfiltrate sensitive information. The Treasury was notified of the breach on December 8th and has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other agencies to investigate the full impact of the incident.

The compromised BeyondTrust service has since been taken offline, and there is currently no evidence to suggest the threat actors still have access to Treasury systems. The Treasury Department has classified the incident as a “major incident” and has reaffirmed its commitment to bolstering cybersecurity defenses, highlighting the importance of addressing third-party vulnerabilities. The breach follows a series of other recent cyberattacks linked to China, further raising concerns about the security posture of the US government.

References:
  • CyberScoop: Treasury workstations hacked by China-linked threat actors
  • Federal News Network: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • siliconangle.com: Third-party provider hack exposes US Treasury Department unclassified documents
  • Techmeme: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • bsky.app: Chinese state-sponsored hackers broke into the U.S. Treasury Department this month and stole documents from its workstations, according to a letter to lawmakers
  • Chuck Darwin: US treasury’s workstations breached in cyber-attack by China – report A Chinese state-sponsored actor broke into the US treasury department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday.
  • www.theguardian.com: US treasury’s workstations breached in cyber-attack by China – report
  • techcrunch.com: US Treasury says China accessed government documents in ‘major’ cyberattack
  • International homepage: ‘In a letter to 🇺🇸 Senate banking committee seen by the Financial Times, the department said it had been informed on December 8 by software company BeyondTrust that a hacker had breached several remote government workstations by obtaining a security key and had in turn gained access to unclassified documents on them.’
  • www.benzinga.com: China-Linked Hackers Breach US Department Of Treasury
  • malware.news: Chinese-sponsored hackers accessed Treasury documents in ‘major incident’
  • www.cnn.com: CNN: China-backed hackers breached US Treasury workstations.
  • Michael West: Treasury says Chinese hackers accessed workstations
  • www.pymnts.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • www.engadget.com: The US Treasury Department says it was hacked in a China-linked cyberattack
  • WIRED: US Treasury Department confirms hack by China-backed group.
  • bsky.app: The U.S. Treasury announced a major cyberattack linked to a compromised API key from its contractor, BeyondTrust.
  • securityonline.info: Treasury Department Hit by Major Cybersecurity Incident, China Suspected
  • san.com: Chinese-sponsored hackers behind ‘major’ breach: Treasury Department
  • securityaffairs.com: China-linked threat actors breached the U.S. Treasury Department by hacking a remote support platform used by the agency.
  • Hong Kong Free Press HKFP: US Treasury says was targeted by China state-sponsored cyberattack.
  • The Hacker News: The United States Treasury Department said it suffered a 'major cybersecurity incident' that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
  • Fortune | FORTUNE: Treasury Department says a China state-sponsored cyberattack gained access to workstations and documents
  • gbhackers.com: US Treasury Department Breach, Hackers Accessed Workstations.
  • SAN: Investigators accuse China of hacking U.S. Treasury Department computers.
  • blog.gitguardian.com: What Happened in the U.S. Department of the Treasury Breach? A Detailed Summary.
  • DataBreaches.Net: Chinese hackers breached Treasury Department workstations, documents in ‘major cybersecurity incident’.
  • go.theregister.com: US Treasury Department outs the blast radius of BeyondTrust's key leak
  • www.wired.com: Treasury says attackers accessed “certain documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.
  • www.bleepingcomputer.com: US Treasury Department breached through remote support platform
  • OODAloop: What to know about string of US hacks blamed on China
  • Techmeme: Sources: Chinese government hackers breached the US Treasury Department's OFAC, which administers economic sanctions, and two other Treasury offices (Washington Post)
  • Dataconomy: According to the Washington Post Chinese government hackers compromised the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in December, targeting intelligence related to economic sanctions, officials reported.
  • Carly Page: China-backed hackers reportedly compromised the US Treasury’s highly sensitive sanctions office during December cyberattack
  • techcrunch.com: Chinese government hackers targeted the U.S. Treasury’s highly sensitive sanctions office during a December cyberattack, according to reports.
  • techcrunch.com: Chinese government hackers targeted US Treasury’s sanctions office during December cyberattack
  • Cybernews: On Thursday, it was revealed that PRC-backed hackers behind last month’s US Treasury hack accessed some senior officials' laptops.
  • Bloomberg Technology: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • The Hacker News: CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing
  • www.the420.in: Chinese APT Exploits BeyondTrust Vulnerability to Breach U.S. Treasury Systems
  • Help Net Security: CISA says Treasury was the only US agency breached via BeyondTrust
  • industrialcyber.co: US Treasury sanctions Beijing’s Integrity Tech for Flax Typhoon cyber intrusions on critical infrastructure
  • ciso2ciso.com: CISA: Third-Party Data Breach Limited to Treasury Dept. – Source: www.darkreading.com
  • Latest from TechRadar: Chinese cybersecurity firm hit by US sanctions over ties to Flax Typhoon hacking group

@www.yahoo.com - 61d
The China-linked Salt Typhoon hacking group successfully launched a cyber espionage campaign targeting major telecommunications companies AT&T and Verizon. The attackers aimed to gather foreign intelligence, although both companies have stated that their networks are now secure. This incident highlights the ongoing threat of state-sponsored cyber espionage targeting critical infrastructure and telecommunications providers. The initial breach was achieved by exploiting vulnerabilities in network infrastructure, and although the networks are now secure, the incident emphasizes the need for continuous monitoring and robust security measures to detect and mitigate these threats.

References:
  • Threats | CyberScoop: White House: Salt Typhoon hacks possible because telecoms lacked basic security measures
  • Fortune | FORTUNE: Chinese spies infiltrated yet another U.S. telecom and accessed private conversations, White House says
  • BleepingComputer: A White House official has added a ninth U.S. telecommunications company to the list of telecoms breached in a Chinese hacking campaign that impacted dozens of countries.
  • Techmeme: The US says it has identified a ninth telecom company impacted by the Salt Typhoon hacks, and the number of individuals directly impacted is "less than 100"
  • Pyrzout :vm:: A 9th Telecoms Firm Has Been Hit by a Massive Chinese Espionage Campaign, the White House Says
  • www.techmeme.com: AT&T and Verizon say their networks are now clear after the Salt Typhoon intrusion; AT&T says a few "individuals of foreign intelligence interest" were targeted (Kelcee Griffis/Bloomberg)
  • gbhackers.com: AT&T and Verizon Hacked – Salt Typhoon Compromised The Network For High Profiles
  • www.yahoo.com: Chinese Salt Typhoon cyberespionage targets AT&T, Verizon but networks secure, carriers say
  • securityaffairs.com: China-linked APT Salt Typhoon breached a ninth U.S. telecommunications firm
  • BleepingComputer: AT&T and Verizon confirmed they were breached in a massive Chinese espionage campaign targeting telecom carriers worldwide but said the hackers have now been evicted from their networks.
  • techcrunch.com: TechCrunch article on AT&T and Verizon saying networks are secure after being breached by China-linked Salt Typhoon hackers.
  • cyberinsider.com: AT&T and Verizon Declare Networks Secure After Salt Typhoon Attacks
  • techcrunch.com: Verizon says it has secured its network after breach by China-linked Salt Typhoon group
  • Zack Whittaker: New by : U.S. phone giants AT&T and Verizon say their networks are free from the Salt Typhoon hackers. Both networks said a few customers had their communications compromised during the hacking campaign.
  • systemweakness.com: What we learned from salt typhoon telecoms operation
  • Cord Cutters News: AT&T & Verizon Confirm Security Breach, But Assure Customers That The Networks Are Now Secure
  • CyberInsider: CyberInsider article on AT&T and Verizon declaring networks secure after Salt Typhoon attacks.
  • CNET: CNet article on AT&T and Verizon declaring their networks secure amid Salt Typhoon cyberattack.
  • Latest from TechRadar: TechRadar article on AT&T and Verizon saying they're free of Salt Typhoon hacks at last.
  • The Register: More telcos confirm Salt Typhoon breaches as White House weighs in The intrusions allowed Beijing to 'geolocate millions of individuals' AT&T, Verizon, and Lumen Technologies confirmed that Chinese government-backed snoops accessed portions of their systems earlier this year, while the White House added another, yet-unnamed telecommunications company to the list of those bre…
  • go.theregister.com: More telcos confirm Salt Typhoon breaches as White House weighs in
  • malware.news: Another US telco breached by Salt Typhoon as AT&T, Verizon acknowledge compromise
  • Strypey: "This week the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies in New Zealand, Australia and Canada began advocating for the use of end-to-end encrypted (E2EE) communications. The move is in reaction to law enforcement backdoors in the public telephone network - including AT&T, Verizon and T-Mobile - being hijacked by Salt Typhoon; a cyberattack group believed to be operated by the Chinese government."
  • ciso2ciso.com: More telcos confirm Salt Typhoon breaches as White House weighs in – Source: go.theregister.com
  • techcrunch.com: US telco Lumen says its network is now clear of China’s Salt Typhoon hackers

@www.fda.gov - 27d
The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued warnings regarding a critical security flaw in Contec CMS8000 patient monitors. These monitors, manufactured by a Chinese company, contain a hidden backdoor that allows for unauthorized remote access. This backdoor enables the devices to connect to a hard-coded IP address located at a third-party university in China, potentially allowing the download and execution of unverified files. The vulnerabilities, tracked as CVE-2025-0626 and CVE-2025-0683, impact all analyzed firmware versions of the device.

The discovered backdoor poses a significant risk to patient safety and data privacy. It allows malicious actors to modify device settings, execute arbitrary code, and alter displayed vital signs. Furthermore, patient data, including personal and health information, is being sent in plain text to the hardcoded IP address. This unauthorized exfiltration of sensitive information and the potential for device manipulation could lead to improper medical responses and endanger patient well-being. CISA has stated that the backdoor is unlikely to be a normal update mechanism, noting it lacks any integrity-checking or version tracking, making it difficult for hospitals to detect compromised devices.

References:
  • BleepingComputer: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
  • CISA: CISA has an 11-page warning that a patient monitor known as Contec CMS8000 has an embedded backdoor with a hardcoded IP address which enables patient data spillage or remote code execution (CISA puts forth a scenario where the device is altered to display inaccurate patient vital signs, which poses a serious risk to patient safety).
  • BleepingComputer: Backdoor found in two healthcare patient monitors, linked to IP in China
  • www.helpnetsecurity.com: Patient monitors with backdoor are sending info to China, CISA warns
  • socradar.io: CISA Warns of Backdoor in Contec CMS8000 Patient Monitors
  • The Hacker News: CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors
  • cyberinsider.com: CISA issues a warning about a backdoor in Contec CMS8000 patient monitors, highlighting the risk of remote code execution and patient data exfiltration.
  • thecyberexpress.com: Critical Flaws in Contec CMS8000 Allow Remote Code Execution and Patient Data Theft
  • CyberInsider: Contec Monitors Used in U.S. Hospitals Carry Chinese Backdoor
  • securityaffairs.com: The U.S. CISA and the FDA warned of a hidden backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors.
  • securityonline.info: The Contec CMS8000 patient monitors are vulnerable to remote attacks.
  • ciso2ciso.com: Backdoor in Chinese-made healthcare monitoring device leaks patient data – Source: www.csoonline.com
  • securityboulevard.com: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
  • www.csoonline.com: Contec CMS8000 patient monitors are found to have a hidden backdoor that transmits patient data to a hardcoded IP address and executes files remotely.
  • therecord.media: CyberScoop article about the vulnerabilities in the monitors.
  • Pyrzout :vm:: Contec CMS8000 patient monitors contain a hidden backdoor – Source: securityaffairs.com
  • securityboulevard.com: Healthcare Crisis Emerges: Cybersecurity Vulnerabilities in Patient Monitors Confirmed by FDA
  • Vulnerability-Lookup: A new bundle, CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware, has been published on Vulnerability-Lookup.
  • securityonline.info: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding the Contec CMS8000 patient monitors.
  • securityonline.info: CISA Warns of Hidden Backdoor in Contec CMS8000 Patient Monitors
  • www.cysecurity.news: The U.S. Food and Drug Administration (FDA) has issued a safety communication highlighting cybersecurity vulnerabilities in certain patient monitors manufactured by Contec and relabeled by Epsimed.
  • ciso2ciso.com: This news alert brings light to a critical backdoor discovered in widely used healthcare patient monitors.
  • Security Boulevard: CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
  • claroty.com: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
  • www.heise.de: Medical surveillance monitor: Backdoor discovered in Contec CMS8000 Attackers can attack medical hardware from Contec. This can result in malicious code getting onto devices. There has been no security update to date.
  • Claroty: There was increased interest in the healthcare industry's patient monitors after CISA's warning on 31 January 2025. Claroty's Team82 actually previously investigated the firmware and reached the conclusion that it is most likely not a hidden backdoor, but instead an insecure/vulnerable design that introduces great risk to the patient monitor users and hospital networks. Their conclusion is mainly based on the fact that the vendor, and resellers who re-label and sell the monitor, list the IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address within their internal networks. Note: there are associated vulnerabilities: (CVSSv4: 7.7/v3.1: 7.5 high) Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor; (CVSSv4: 8.2 high/v3.1: 5.9 medium) Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Contec Health CMS8000 Patient Monitor.

MalBot@malware.news - 40d
The US Treasury Department has sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe Network Technology Co., and a Shanghai-based hacker, Yin Kecheng, for their involvement in significant cyberattacks. These attacks compromised sensitive systems at the Treasury Department and major US telecommunication companies and ISPs. Sichuan Juxinhe is linked to the Salt Typhoon hacking group, which has infiltrated numerous US telecom companies and ISPs, intercepting sensitive data from high-value political officials and communication platforms. Yin Kecheng, connected to the Chinese Ministry of State Security (MSS), is associated with the recent breach of the Treasury's network, impacting systems involved in sanctions and foreign investment reviews.

The Treasury's systems, including those used by Secretary Janet Yellen, were accessed during the breach, resulting in the theft of over 3,000 files. The stolen data included policy documents, organizational charts, and information on sanctions and foreign investment. The cyber activity has been attributed to the Salt Typhoon group, alongside a related group known as Silk Typhoon (formerly Hafnium), which exploited vulnerabilities in Microsoft Exchange Server and used compromised APIs. The Treasury Department stated that it will continue using its authority to hold accountable malicious actors that target the American people and the US government.

References:
  • malware.news: US Sanctions Chinese firm behind sweeping Salt Typhoon telecom hacks
  • The Hacker News: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
  • BleepingComputer: US sanctions Chinese firm, hacker behind telecom and Treasury hacks
  • ciso2ciso.com: US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure Breaches – Source: www.darkreading.com
  • ciso2ciso.com: US sanctions Chinese hacker & firm for Treasury, critical infrastructure breaches
  • U.S. Treasury: Treasury's OFAC is sanctioning Yin Kecheng, a Shanghai-based cyber actor who was involved with the recent Department of the Treasury network compromise.
  • ciso2ciso.com: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon – Source: thehackernews.com
  • securityaffairs.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
  • ciso2ciso.com: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network – Source: www.securityweek.com
  • ciso2ciso.com: The U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach.
  • www.tomshardware.com: News report on Chinese hackers infiltrating US Treasury Secretary's PC and gaining access to over 400 PCs.
  • www.nextgov.com: US Treasury Department sanctions imposed for Salt Typhoon's involvement.
  • www.nextgov.com: The Treasury Department's sanctions follow a major hack targeting telecommunications companies and potentially impacting high-value political officials.
  • Threats | CyberScoop: Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks.
  • thecyberexpress.com: U.S. Treasury sanctions Salt Typhoon hackers
  • www.csoonline.com: The US is hitting back against the threat group, dubbed Salt Typhoon by Microsoft, which is allegedly behind recent cyber attacks against American telecommunications providers, as part of a wider campaign against Chinese-based hacking.
  • Security Affairs: The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., LTD.
  • Security Boulevard: U.S. Treasury Sanctions Chinese Individual, Company for Data Breaches

@therecord.media - 43d
The U.S. Department of Justice, working with the FBI, has successfully removed the PlugX malware from over 4,250 infected computers within the United States. This multi-month operation targeted the command and control infrastructure used by hackers linked to the People's Republic of China (PRC). PlugX, a remote access trojan (RAT), has been used by the group known as Mustang Panda, or Twill Typhoon, since 2014 to infiltrate systems and steal information from victims across the U.S., Europe, and Asia, as well as from Chinese dissident groups. The Justice Department obtained court orders to authorize the operation and eliminate the malware, which is known for its capability to remotely control and extract information from compromised devices. This action aimed to disrupt the ability of state-sponsored cyber threat actors to conduct further malicious activities on affected networks.

The removal of PlugX involved a self-delete command that was developed by French cybersecurity firm Sekoia. The FBI tested the method before deploying it. This command deleted the malware from infected computers without impacting their legitimate functions or collecting any further content. The operation was conducted in partnership with French law enforcement, which also identified a botnet of infected devices in its own investigation. This international cooperation highlights the ongoing efforts to counteract nation-state cyber threats and protect U.S. cybersecurity. The owners of the affected devices have been notified of the actions through their internet service providers.

References:
  • ciso2ciso.com: FBI Wraps Up Eradication Effort of Chinese ‘PlugX’ Malware – Source: www.darkreading.com
  • Threats | CyberScoop: Law enforcement action deletes PlugX malware from thousands of machines
  • The Hacker News: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
  • therecord.media: The Record reports DOJ deletes China-linked PlugX malware.
  • discuss.privacyguides.net: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
  • securityonline.info: “PlugX” Malware Deleted from Thousands of Computers in Global Operation
  • www.justice.gov: Justice.gov press release on international operation to delete PlugX malware.
  • www.scworld.com: Widespread PlugX malware compromise eradicated in law enforcement operation
  • securityaffairs.com: FBI deleted China-linked PlugX malware from over 4,200 US computers
  • CyberInsider: FBI Neutralizes PlugX Malware on 4,200 Computers in the U.S.
  • securityboulevard.com: Security Boulevard article on FBI Deletes PlugX Malware From Computers Infected by China Group
  • www.helpnetsecurity.com: FBI removed PlugX malware from U.S. computers
  • The Verge: FBI hacked thousands of computers to make malware uninstall itself
  • malware.news: PlugX malware deleted from thousands of systems by FBI
  • Malwarebytes: Malwarebytes blog post on PlugX removal operation.
  • www.bleepingcomputer.com: BleepingComputer reports on FBI wipes Chinese PlugX malware from over 4,000 US computers
  • www.techmeme.com: The US says the FBI hacked ~4.2K devices in the US to delete PlugX, malware used by China-backed hackers since 2014, after obtaining warrants in August 2024 (Carly Page/TechCrunch)
  • cyberpress.org: Cyberpress.org article about 4,000+ PCs Infected by Chinese Hackers with PlugX Malware

@cyberscoop.com - 14d
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.

References:
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

@securityonline.info - 49d
Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have issued a warning about a prolonged cyber-attack campaign against organizations, businesses, and individuals in Japan since 2019. The attacks are attributed to the Chinese cyber espionage group known as MirrorFace, also called Earth Kasha, which is believed to be a subgroup of APT10. This group aims to steal sensitive information related to Japan’s national security and advanced technologies. The group has been seen targeting a wide range of sectors, including government bodies, defense, aerospace, semiconductor, communications, research organizations and the media.

MirrorFace has conducted several campaigns, including spear-phishing emails with malware attachments, exploiting VPN vulnerabilities, and using advanced techniques like abusing Windows Sandbox for malware execution and leveraging Visual Studio Code's development tunnels for stealthy remote control. The group deploys tools such as LODEINFO, ANEL, LilimRAT, NOOPDOOR and Cobalt Strike Beacon. The NPA has linked MirrorFace to over 200 cyber incidents in the past five years. Authorities have raised concerns about the sophisticated techniques and the focus on infiltrating Japanese national security and advanced technology sectors, and are working to mitigate the risks.

Recommended read:
References :
  • securityonline.info: MirrorFace: Unmasking the Chinese Cyber Espionage Group Targeting Japan
  • ciso2ciso.com: Japan Faces Prolonged Cyber-Attacks Linked to China’s MirrorFace – Source: www.infosecurity-magazine.com
  • The Hacker News: MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan
  • ciso2ciso.com: Japanese police claim China ran five-year cyberattack campaign targeting local orgs – Source: go.theregister.com
  • www.npa.go.jp: National Police Agency (Japan) advisory on the MirrorFace campaign (Japanese language)
  • Techmeme: Japan says Chinese hacking group MirrorFace is linked to 200+ cyberattacks from 2019 to 2024 targeting the country's national security and advanced tech data (Mari Yamaguchi/Associated Press)
  • ciso2ciso.com: Chinese APT Group Is Ransacking Japan’s Secrets – Source: www.darkreading.com
  • www.scworld.com: Years-long hacking spree against Japan linked to Chinese hackers
  • Pyrzout :vm:: Japanese police claim China ran five-year cyberattack campaign targeting local orgs
  • Latest from TechRadar: Japan says Chinese hackers have launched hundreds of attacks against targets in the country | Hacking group ‘MirrorFace’ accused of hitting dozens of targets
  • securityaffairs.com: Japanese authorities attribute a cyber-espionage campaign targeting the country to the China-linked APT group MirrorFace.

Juan Perez@Tenable Blog - 5d
The Ghost (Cring) ransomware group, known for exploiting vulnerabilities in software and firmware, remains a significant threat as of January 2025. A joint cybersecurity alert from the FBI, CISA, and other partners warns the global cyber defender community of increasing attacks from this financially motivated group. CISA issued a joint advisory on February 19, 2025, emphasizing the group's ongoing activity.

The Ghost (Cring) ransomware first appeared in early 2021 and has impacted organizations across more than 70 countries by compromising vulnerable, internet-facing services. Security measures such as patching known vulnerabilities and implementing basic infosec actions are crucial in defending against these attacks. The SOC Prime Platform has curated Sigma rules to help detect Ghost (Cring) ransomware activity.

Recommended read:
References :
  • SecureWorld News: The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide.
  • Tenable Blog: Rapid7 discusses Ghost Ransomware group targeting known Vulns.
  • aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions.
  • Resources-2: Picus Security provides Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation.
  • socprime.com: Ghost (Cring) Ransomware Detection: The FBI, CISA, and Partners Warn of Increasing China-Backed Group’s Attacks for Financial Gain
  • SOC Prime Blog: The FBI, CISA, and partners have recently issued a joint cybersecurity alert warning the global cyber defender community of increasing Ghost (Cring) ransomware attacks aimed at financial gain.
  • thecyberexpress.com: A Ghost ransomware group also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025.
  • Security Boulevard: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
  • www.attackiq.com: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
  • industrialcyber.co: CISA, FBI, MS-ISAC warn of Ghost ransomware
  • aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions, according to a joint advisory issued Wednesday by the FBI and US Cybersecurity and
  • securebulletin.com: Secure Bulletin provides an analysis of tactics, targets, and techniques used by Ghost Ransomware.
  • Secure Bulletin: Securebulletin article on Ghost Ransomware
  • The Register - Security: Ghost ransomware crew continues to haunt IT depts with scarily bad infosec
  • cyble.com: FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities
  • aboutdfir.com: News article covering the joint advisory from CISA and the FBI on the Ghost/Cring ransomware.

@github.com - 66d
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical vulnerability in the Acclaim Systems USAHERDS web application. This flaw, identified as CVE-2021-44207, has been actively exploited and carries a high severity score of 8.1. The vulnerability stems from the use of static ValidationKey and DecryptionKey values to secure the ViewState feature: because the keys are hard-coded rather than unique per deployment, an attacker who knows them can craft payloads that pass ViewState integrity checks. Exploiting this flaw allows attackers to execute arbitrary code on the affected server, potentially compromising the entire system and its network.

The vulnerability impacts Acclaim USAHERDS versions 7.4.0.1 and earlier, released prior to November 2021. CISA has added this flaw to its Known Exploited Vulnerabilities catalog, further underscoring the urgency of this security risk. Federal agencies are urged to apply the necessary patches and remediation by January 13, 2025. It has also been noted that APT41, a Chinese state-sponsored espionage group, has been linked to exploiting this vulnerability to compromise U.S. state government networks.

Recommended read:
References :
  • cloud.google.com: CISA : (8.1 high) Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability
  • securityaffairs.com: U.S. CISA adds Acclaim Systems USAHERDS flaw to its Known Exploited Vulnerabilities catalog
  • securityonline.info: CVE-2021-44207: Vulnerability in Acclaim USAHERDS Actively Exploited, CISA Warns
  • thecyberexpress.com: The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new vulnerability, CVE-2021-44207, to its Known Exploited Vulnerabilities (KEV) Catalog.
  • The Hacker News: CISA Adds Acclaim USAHERDS Vulnerability to KEV Catalog Amid Active Exploitation
  • ciso2ciso.com: U.S. CISA adds Acclaim Systems USAHERDS flaw to its Known Exploited Vulnerabilities catalog – Source: securityaffairs.com
  • ciso2ciso.com: U.S. CISA adds Acclaim Systems USAHERDS flaw to its Known Exploited Vulnerabilities catalog
  • Osint10x: CISA Adds Acclaim USAHERDS Vulnerability to KEV Catalog Amid Active Exploitation
  • osint10x.com: CISA Adds Acclaim USAHERDS Vulnerability to KEV Catalog Amid Active Exploitation

TIGR Threat Watch@Security Risk Advisors - 76d
A new mobile surveillance tool called EagleMsgSpy has been discovered by security researchers, revealing its use by Chinese law enforcement to gather extensive data from Android devices. The tool, operational since at least 2017, is believed to be developed by Wuhan Chinasoft Token Information Technology Co., Ltd. EagleMsgSpy requires physical access to a device for installation of a stealthy surveillance module. Once installed, it collects a wide range of sensitive user data, including chat messages, screen recordings, audio, call logs, contacts, SMS, location data, and network activity. This data is then transmitted to a command-and-control server.

The EagleMsgSpy tool also leverages Notification Listener and Accessibility Services to monitor device activity and intercept messages from popular apps like QQ, Telegram, Viber, WhatsApp, and WeChat. The installer component suggests the tool is likely used by multiple customers, requiring a "channel" or "account" input upon installation. Researchers also observed an evolution in the sophistication of obfuscation and storage of encrypted keys over time. The tool appears designed for judicial monitoring, allowing remote installation and data collection without user knowledge. The discovery raises significant concerns about privacy and the potential misuse of gathered information.

Recommended read:
References :
  • gbhackers.com: New Chinese Surveillance Tool Attack Android Users Since 2017
  • securityaffairs.com: Experts discovered surveillance tool EagleMsgSpy used by Chinese law enforcement
  • techcrunch.com: Security researchers at Lookout have uncovered a new surveillance tool that they say has been used by Chinese law enforcement to collect sensitive information from Android devices in China
  • Security Risk Advisors: Chinese Surveillance Tool EagleMsgSpy Uncovered by Lookout Researchers

@www.bleepingcomputer.com - 6d
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially-motivated cybercrime.

These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.


@www.ghacks.net - 18d
Recent security analyses have revealed that the iOS version of DeepSeek, a widely-used AI chatbot developed by a Chinese company, transmits user data unencrypted to servers controlled by ByteDance. This practice exposes users to potential data interception and raises significant privacy concerns. The unencrypted data includes sensitive information such as organization identifiers, software development kit versions, operating system versions, and user-selected languages. Apple's App Transport Security (ATS), designed to enforce secure data transmission, has been globally disabled in the DeepSeek app, further compromising user data security.

Security experts from NowSecure recommend that organizations remove the DeepSeek iOS app from managed and personal devices to mitigate privacy and security risks, noting that the Android version of the app exhibits even less secure behavior. Several U.S. lawmakers are advocating for a ban on the DeepSeek app on government devices, citing concerns over potential data sharing with the Chinese government. This mirrors previous actions against other Chinese-developed apps due to national security considerations. New York State has already banned government employees from using the DeepSeek AI app amid these concerns.

Recommended read:
References :
  • cset.georgetown.edu: China’s ability to launch DeepSeek’s popular chatbot draws US government panel’s scrutiny
  • PCMag Middle East ai: House Bill Proposes Ban on Using DeepSeek on Government-Issued Devices
  • Information Security Buzz: Recent security analyses have found that the iOS version of DeepSeek transmits user data unencrypted.
  • www.ghacks.net: Security analyses revealed unencrypted data transmission by DeepSeek's iOS app.
  • iHLS: Article about New York State banning the DeepSeek AI app.

Connor Jones@The Register - Security - 12h
A newly discovered vulnerability, dubbed Wallbleed, has been found within China's Great Firewall (GFW). This flaw allowed security researchers to access sensitive memory data, exposing internal censorship mechanisms. The vulnerability, an out-of-bounds read bug within the GFW's DNS injection subsystem, leaked up to 125 bytes of memory data from the censorship infrastructure. This provided an unprecedented look into how China censors internet content.

The Wallbleed vulnerability was actively exploited by a team of security professionals and academics starting in October 2021. They used it to learn about the GFW's inner workings, monitoring its infrastructure and observing attempts to patch the hole. The leaked memory revealed details of the GFW's CPU architecture, of the plain-text network traffic it processes, and of its capability to capture traffic from millions of IP addresses in China.

Recommended read:
References :
  • CyberInsider: Wallbleed Flaw in China’s Great Firewall Exposed Private Data
  • The Register - Security: Wallbleed vulnerability unearths secrets of China's Great Firewall 125 bytes at a time
  • Talkback Resources: Wallbleed bug reveals secrets of China's Great Firewall [exp] [net]

@www.recordedfuture.com - 48d
The Chinese state-sponsored cyber espionage group known as RedDelta, also referred to as Mustang Panda, has been actively targeting several countries in Asia and beyond since July 2023. Their operations have primarily focused on Mongolia, Taiwan, and Southeast Asia, but have also extended to Japan, the United States, Ethiopia, Brazil, Australia and India. RedDelta employs sophisticated spearphishing techniques, using lure documents themed around political and cultural events, such as the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia and meeting invitations. The group has been observed distributing its customized PlugX backdoor through adapted infection chains, targeting government and diplomatic organizations.

RedDelta has evolved its attack methods over time, initially using Windows Shortcut (LNK) files, transitioning to Microsoft Management Console Snap-In Control (MSC) files in 2024, and most recently using HTML files hosted on Microsoft Azure. Since July 2023, the group has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic in order to blend in with legitimate network activity, making victim identification more difficult. The group's activities, which have included successful compromises of the Mongolian Ministry of Defense and the Communist Party of Vietnam, align with the Chinese government's strategic priorities in Asia.

Recommended read:
References :
  • malware.news: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • www.recordedfuture.com: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • The Hacker News: RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
  • app.recordedfuture.com: Recorded Future: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • osint10x.com: RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
  • securityonline.info: RedDelta Leverages PlugX Backdoor in State-Sponsored Espionage Campaigns

@gbhackers.com - 5d
Chinese cybersecurity entities are accusing the U.S. National Security Agency (NSA) of orchestrating a multi-year cyber espionage campaign against Northwestern Polytechnical University (NPU), a leading Chinese institution specializing in aerospace and defense research. The allegations, published by organizations such as Qihoo 360 and the National Computer Virus Emergency Response Center (CVERC), claim that the NSA’s Tailored Access Operations (TAO) unit, referred to as “APT-C-40” by Chinese sources, conducted the attack in 2022. The university disclosed the breach in June 2022, reporting phishing emails targeting staff and students as the initial vector.

According to Chinese investigators, the NSA allegedly deployed over 40 malware strains and leveraged zero-day vulnerabilities to gain access. Tools such as NOPEN and SECONDDATE, previously linked to the NSA, were reportedly used to establish persistence and intercept network traffic. Chinese cybersecurity firms attribute the attack to the NSA based on forensic analysis and operational patterns, noting that nearly all attack activity occurred during U.S. business hours, with no activity on weekends or U.S. holidays. A misconfigured script also revealed directory paths linked to TAO’s tools, including a Linux directory associated with NSA operations.

Recommended read:
References :
  • discuss.privacyguides.net: An inside look at NSA (Equation Group) attack on China
  • gbhackers.com: NSA Allegedly Hacked Northwestern Polytechnical University, China Claims
  • Talkback Resources: China’s Cybersecurity Firms Reveal Alleged NSA (Equation Group) Tactics in University Hack [for] [mal]